Thousands of Android apps can ‘collude’ to leak information, research shows

Virginia Tech researchers have produced evidence showing that thousands of Android applications can “collude” to share and leak information stored on smartphones without user permission.

Gang Wang, an assistant professor at the university’s Department of Computer Science, described the new research as a breakthrough.

“This is the first time we’ve found real-world evidence that apps are colluding with one another,” Wang told The Hill on Monday. “Apps are talking to each other to get information when they don’t have permission to do so.”

Earlier prototypes had shown that apps could be built to collude with one another, but the new research is the first large-scale security analysis of data flows between Android apps currently on the market.

The research team analyzed over 110,000 Android apps over a three-year period to see how they exchange information.

The riskiest type of collusion the researchers identified involves two apps sharing information without the smartphone owner’s permission and then leaking it onto the internet. According to the study released on Monday, they found roughly 16,000 pairs of apps that could potentially “collude” in this way, a relatively small number given how many apps were analyzed.

Still, Wang noted that the research has significant implications for data security and privacy.

“Users are typically not aware of this type of behavior because it is designed to be stealthy,” he said.

Wang gave the example of a flashlight app, which has no need to know your location but could obtain it from another app by colluding with that app. A flashlight app also has no need for a network connection, but it could pass the location on to a third app that does have network access, which then leaks it onto the internet.

“Thousands of apps are involved in this type of collusion,” Wang observed.

It is difficult for the researchers to determine whether apps are intentionally designed to collude in this way or have bugs or design flaws that cause them to unintentionally allow access to information, Wang said. While some apps appeared to be allowing others to access information unintentionally, some pairs — particularly those designed by the same developers — seemed to be maliciously designed to do so.
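The flashlight scenario Wang describes, and the “unintentional” exposure the researchers could not always tell apart from deliberate collusion, come down to one Android mechanism: a component that an app exports without a permission guard can be called by any other app on the device, which then collects whatever the exporting app is allowed to read. The script below is an added example, not code from the study or from the DIALDroid tool, and the package names, component names and manifests in it are constructed for illustration. It parses AndroidManifest.xml files, lists the components any app can reach, and pairs apps holding a location or identity permission against apps that lack it but hold INTERNET. It then re-checks the same weather-app manifest after a signature-level permission has been put on the service, which removes it from the candidate list.

```python
"""Added example: flag inter-app "collusion" candidates from Android manifests.

Manifest-only heuristic: an app holding a sensitive permission that exposes a
component any app can call is a possible *source*; an app lacking that
permission but holding INTERNET is a possible *sink*.  Real analyses such as
DIALDroid also track data flow inside the code; this only narrows down pairs.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions behind the "who you are and where you are" data the article names.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_WIFI_STATE",
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def android_attr(element, name):
    """Read an android:* attribute (ElementTree stores it as {namespace}name)."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def parse_manifest(xml_text):
    """Return the package, its requested permissions and its reachable components.

    A component is reachable by any other app when it is exported and has no
    android:permission guard.  Simplification: an explicit android:exported wins;
    otherwise an <intent-filter> implies exported, the platform default before
    API 31 (content providers are treated the same way here).
    """
    root = ET.fromstring(xml_text)
    permissions = {android_attr(p, "name") for p in root.iter("uses-permission")}
    exposed = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            filters = comp.findall("intent-filter")
            exported = android_attr(comp, "exported")
            is_exported = exported == "true" or (exported is None and bool(filters))
            if not is_exported or android_attr(comp, "permission"):
                continue
            actions = [android_attr(a, "name") for f in filters for a in f.findall("action")]
            exposed.append({"name": android_attr(comp, "name"), "kind": tag, "actions": actions})
    return {"package": root.get("package"), "permissions": permissions, "exposed": exposed}


def collusion_candidates(apps):
    """Pair each sensitive-permission holder with an exposed component against
    each INTERNET-capable app that lacks those permissions."""
    findings = []
    for source in apps:
        sensitive = source["permissions"] & SENSITIVE_PERMISSIONS
        if not sensitive or not source["exposed"]:
            continue
        for sink in apps:
            if sink is source or "android.permission.INTERNET" not in sink["permissions"]:
                continue
            bypassed = sorted(sensitive - sink["permissions"])
            if not bypassed:
                continue
            for comp in source["exposed"]:
                findings.append({"source": source["package"], "component": comp["name"],
                                 "kind": comp["kind"], "actions": comp["actions"],
                                 "sink": sink["package"], "permissions_bypassed": bypassed})
    return findings


# Constructed sample manifests (hypothetical packages, not real apps).  The weather
# app holds location and exposes a service with no permission guard, the kind of
# unintentional exposure the researchers describe.
WEATHER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".LocationService">
      <intent-filter><action android:name="com.example.weather.GET_LOCATION"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Same app with the fix: a signature-level permission on the service, so only apps
# signed with the same key can bind to it.
WEATHER_HARDENED = WEATHER_MANIFEST.replace(
    "<application>",
    '<permission android:name="com.example.weather.LOC" android:protectionLevel="signature"/>\n  <application>',
).replace(
    '<service android:name=".LocationService">',
    '<service android:name=".LocationService" android:permission="com.example.weather.LOC">',
)

# Flashlight: neither location nor network.  Sync: network only.
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""
SYNC_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sync">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    apps = [parse_manifest(m) for m in (WEATHER_MANIFEST, FLASHLIGHT_MANIFEST, SYNC_MANIFEST)]
    for f in collusion_candidates(apps):
        print("%(source)s %(kind)s %(component)s -> %(sink)s bypasses %(permissions_bypassed)s" % f)
    hardened = [parse_manifest(m) for m in (WEATHER_HARDENED, FLASHLIGHT_MANIFEST, SYNC_MANIFEST)]
    print("after hardening:", len(collusion_candidates(hardened)), "candidate pairs")
```

A candidate pair here is a lead, not a confirmed leak: DIALDroid also traced the actual data flow through each app’s code, which a manifest check cannot do. The flashlight app in the sample is not reported because it has no network permission, even though, in Wang’s scenario, it is exactly the kind of app that relays data from one app to a third. Note too that a signature-level permission only shuts out apps from other developers; two apps signed with the same key, the case the researchers said looked deliberate, can still talk to each other through it.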

The research found that the most commonly leaked information related to an individual’s physical ID, location or current network, data having to do with “who you are and where you are,” Wang noted.

The researchers developed a tool called DIALDroid to perform the security analysis on the data flows between the apps, many of them among the most popular on Google Play.

The study was funded by the Defense Advanced Research Projects Agency (DARPA), the Defense Department agency that develops advanced technology for military use.

The team involved a number of researchers at Virginia Tech as well as an assistant professor at Southern Illinois University.